serverhack
Enthusiast

Problems using card reader in published app

Hi,

I have published Internet Explorer 11 from a server via published App in Horizon. The users need to use a smart card reader connected to their computers and then transfer the connection to the connected application via Horizon Client.

The problem is that when any user connects the USB smartcard reader to the app, I receive an error on the server that indicates:

ERROR 602 Smart Card Service : WDM Reader driver initialization cannot open reader device : Access Denied

So the web app loaded into the Internet Explorer published app cannot access the certificates inside the card reader.

If I try to connect the smartcard reader via RDS connection with the same user it works, so that makes me think it's a problem with something inside the Horizon agent and/or client.

Any clue?

Horizon v7.5

Horizon Client 4.10.0

Server Windows 2016 Standard

Thanks,

Jorge

0 Kudos
5 Replies
serverhack
Enthusiast

Any clue on this?

0 Kudos
mchadwick19
Hot Shot

A couple of things can be the culprit here.

- On your RDS system(s), do they have the correct SC drivers installed?

- Is the smart card redirection feature installed with the View agent?

- Are the CAs for the smart card installed properly within the RDS host?

Those are usually the top three issues that I've come across with being unable to use smart cards in a VDI/RDSH environment.

A quick test you can do is RDP to one of the RDS systems and redirect your smart card that way and test the web app. Also run from a command line "certutil -scinfo" to verify that your particular cards and certs can be read.

VDI Engineer VCP-DCV, VCP7-DTM, VCAP7-DTM Design
0 Kudos
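The checks suggested in the reply above can be gathered in one pass on the RDS host. This is an added example, not part of the original thread and not VMware's tooling; it assumes the error is recorded with event ID 602 in the System or Application log, and `EXAMPLE-ISSUING-CA` is a placeholder for the name of the CA that issued the card certificates.

```powershell
# Added diagnostic sketch. Run on the RDS host in the session type being tested
# (RDP session vs. published app) so the two results can be compared.

# 1. State of the Windows Smart Card service (SCardSvr).
Get-Service -Name SCardSvr | Select-Object Name, Status, StartType

# 2. Reader devices Windows currently sees and whether each one started.
#    A reader listed with a Status other than "OK" points at the driver or at
#    access to the device rather than at the certificates on the card.
Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status, InstanceId

# 3. Entries with the event ID quoted in the thread from the last 24 hours.
#    Assumption: ID 602 in the System or Application log. The message text is
#    not filtered because it is localized on non-English servers.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        Id        = 602
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Message |
    Format-List

# 4. CA certificates in the machine trust stores.
$issuerPattern = 'EXAMPLE-ISSUING-CA'   # placeholder, replace with your CA name
foreach ($store in 'Root', 'CA') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -match $issuerPattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, NotAfter, Thumbprint
}

# 5. The card and certificate read test named in the reply.
certutil -scinfo
```

If steps 1, 4 and 5 succeed over RDP but step 2 or 5 fails inside the published app, the difference lies in how the reader reaches the session, not in drivers or trust stores.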
serverhack
Enthusiast

Hi,

  • The SC Drivers are installed on the RDS Server.
  • The Smart Card redirection feature isn't available when installing agent to server with RDS Host role. The available features (some) are:
    • USB Redirection (installed)
    • Client Drives redirection (installed)
    • Virtual printing (installed)
    • Scanner redirection (not installed)
    • Flash redirection (not installed)
    • HTML5 Multimedia redirection (not installed)
    • Device Bridge BAS complement (not installed)
  • Yes, the CAs are installed

If I connect via RDS to the server and transfer the SC reader to the server, it works perfectly. The problem is when I execute the app via published app: when I connect the SC reader to Horizon Client is when I can see the error in the server event logs.

The "certutil -scinfo" works when connecting to RDS.

:(

0 Kudos
mchadwick19
Hot Shot

Was unaware the SC redirection wasn't available with the RDS role - haven't really played around with remote apps and Smart Cards all that much yet.

However, are your users authenticating to the connection servers with SCs or Username/Password?

Are you able to see the USB device connecting properly in the Agent log/debug log?

VDI Engineer VCP-DCV, VCP7-DTM, VCAP7-DTM Design
0 Kudos
serverhack
Enthusiast

The users authenticate with Horizon Client with user/password. Then the client presents the published apps (Internet Explorer) to the user; I (or the user) connect to the IE app and then I transfer the SC reader to the app via the USB configuration of Horizon Client.

At this point I see the following error in the Windows Event Log:

[Screenshot: pastedImage_0.png]

In English: WDM Reader driver initialization cannot open reader device. Error 602.

In agent logs I see the following entries related to the SC reader:

     2019-04-10T16:22:09.238+02:00 INFO  (0FD0-146C) <MessageFrameWorkShare> [pcoip_mfw] service: register of virtual channel Smart Card Virtual Channel ok

But the card reader doesn't work.

0 Kudos